NIS2 and NEN 7510 in healthcare: 4 questions and answers

NIS2 in Dutch healthcare: 4 questions and answers

Are you a CISO in the Dutch healthcare sector? Then you know that one of the biggest challenges is balancing between providing good care quickly and ensuring optimal security. 'A healthcare provider who needs to treat someone urgently doesn't want to have to log in with MFA,' says Niels van der Meij, Principal Security Consultant and IT auditor (RE) at Secura. He does a lot of work for the Dutch public sector, including healthcare.

Van der Meij foresees more discussion about the tension between healthcare and security as NIS2, the new European cybersecurity directive, arrives. 'I expect that the standards from the Dutch NEN 7510 will become more heavily weighted and formalized now that they will also become mandatory from NIS2.'

What exactly does NIS2 mean for healthcare? How does NIS2 relate to NEN 7510? Van der Meij and his colleague Mario Sleegers, NIS2 expert, answer 4 questions about NIS2 for healthcare.

1. What is the main difference between NEN 7510 and NIS2?

NEN 7510 is a sector-related framework focused on Dutch healthcare organizations. NIS2 is an EU legal directive aimed at making critical organizations more cyber resilient, says RE auditor Van der Meij. He knows the NEN 7510 standards framework well.

'A hospital, to give an example, meets the requirements of NIS2 by becoming NEN 7510 compliant. Of course, you do not yet fully comply with NIS2 if you are NEN 7510 compliant. But if you can demonstrate through certification or an assurance report that follow this standard, that at least covers the basis for NIS2 compliance.' NEN 7510 certification is not mandatory under NIS2.

'There is no certification for NIS2,' Mario Sleegers, NIS2 consultant, adds. 'I don't expect there will be one, because we already saw with the predecessor of NIS2 - the WBNI - that the capacity for verification is limited.' This means that NIS2 compliance in healthcare will largely be measured through the already existing NEN framework.

The NEN standard is being updated to better align with NIS2. 'In the original planning, an update of the NEN 7510 standard was to come in the middle of 2024,' says Sleegers. 'But the NIS2 update will cause some delay, I expect.'

2. We are working toward NEN 7510 certification. What do we need to do to be ready for this?

The NEN 7510 framework - like many other frameworks - consists of two parts, says Van der Meij: 'The basis describes in general terms what your organization needs to look like, for example in the areas of governance, risk management and the Information Security Management System (ISMS). In addition, the framework contains specific standards that you, as an organization, must translate into concrete measures.'

Every organization is free to define the standards in their own way, Sleegers says. 'That is because a standard must be able to apply to an organization of 10 but also to a company of 1,000 employees. This means organizations choose what concrete measures they take to meet a standard based on what is appropriate.'

For example, for small healthcare institutions with a modest number of employees, access rights management can be completed with a brief authorization matrix and limited separation of roles and rights. A large institution with thousands of employees will have to keep a detailed overview of accounts, roles and rights for each system.

The basic assumption of the NEN standard that an employee must have a care relationship with the patient or client will therefore lead to more extensive and specific measures for a large institution than for a small institution.

Because every organization interprets the standards of NEN 7510 itself, it is difficult to give a general indication of when an organization is ready for certification. Still, there are points for attention, says Van der Meij: 'During an NEN 7510 implementation process, we often see that the ISMS is not completely complete. It also happens that the standards are not always translated correctly into concrete measures.'

3. We follow NEN 7510. What do we still need to do for NIS2?

An organization who can demonstrate compliance with NEN 7510, for example, through certification or an audit report, is already on the road to NIS2 compliance, say Sleegers and Van der Meij. Still, there are a few areas where additional measures are needed to comply with NIS2:

1 Management accountability and training requirements. NIS2 explicitly holds management responsible for cybersecurity. This is noteworthy, says Sleegers: 'This executive responsibility exists in almost no framework. We see that with NIS2 it has really shifted from the IT department to upper management: the board is expected to understand the organization's cyber risks and be able to approve corresponding measures.'

'In practice, of course, this is complex because most people on hospital boards are not experts in this area.' That's why NIS2 requires training and education of the board.

2 Risk management is going to weigh more heavily. One of the most important pillars of NIS2 is risk management. 'You see risk management reflected in NEN 7510, of course, but in NIS2 it carries much more weight,' says Van der Meij.

'Healthcare institutions will have to look more closely at their risk analyses. Internal audits will not only have to assess whether the measures from NEN 7510 have been implemented, but also whether a risk analysis has assessed whether new threats, such as ransomware attacks, are sufficiently controlled. If this is not the case, additional or more severe measures will have to be taken to meet the requirements of NIS2. A check mark will no longer be sufficient. I expect this will really become a point of focus, because NIS2 enforces it.'

3 Security management of suppliers is more important. NIS2 requires organizations to monitor the security of their suppliers. 'This is a fairly new development that you can also see, for example, in the automotive industry at the moment,' says Sleegers. 'But securing the entire supply chain takes a lot of effort and is a long-term issue.'

As a healthcare provider, how can you ensure that, for example, healthcare application suppliers pay enough attention to security? Sleegers: "The most obvious way to do that is through the contracts with these parties. To map the state of a vendor's security, a Vendor Assessment can help.

4 Incident reporting will be expanded. NIS2 imposes additional incident reporting requirements. Sleegers: 'In short, organizations must report more and faster. Especially the second point will require effort, because a report is preceded by many steps.'

Download the NIS2 Incident Flowchart

What does NIS2 ask of healthcare facilities when it comes to reporting cyber incidents? What do you need to report? What is the timeline? Mario Sleegers and his colleagues have listed the NIS2 reporting requirements in a convenient flow chart.

4. What if our organization complies with NEN 7510 but not with NIS2?

NIS2 distinguishes between 'essential' and 'important' entities, says Mario Sleegers. For 'essential' organizations, compliance oversight will be stricter: most healthcare organizations fall into this category. 'If an essential organization does not comply with NIS2, fines may follow,' he expects.

Van der Meij: 'You can compare the consequences with non-compliance with the privacy law GDPR. The Dutch Personal Data Authority fined the Haga hospital in The Hague in 2019 for insufficiently protecting patient data. But I don't expect a general practice to be fined.'

Articles 32 to 34 of NIS2 address oversight and possible fines for non-compliance. The maximum fine for essential entities is 10 million euros or 2% of annual turnover. For significant entities, the maximum is 7 million or 1.4% of annual turnover.

The Dutch Inspection for Healthcare will monitor compliance with NIS2 in the Dutch healthcare sector.

In practice, NIS2 will probably mean more emphasis on compliance with regulations around security, Van der Meij expects. So the tension between providing care and security will probably only increase. How can organizations resolve this? Sleegers advises, 'You could start by training the board so that they gain a better understanding of the area of tension. This allows them to actively contribute to solving this tension.'

Van der Meij also has practical advice: 'Don't panic! But do take action. For example, start with a risk analysis, as the Dutch government suggests. Our consultants can help you with this.'

How we can help you

Secura has a lot of NIS2 and NEN 7510 expertise. You can count on our experts to help you train your board with the NIS2 Boardroom Training. We can also help you with a NIS2 Gap Assessment and Implementation Support. Read more about our NIS2 services in the brochure below.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.